diff --git a/CHANGELOG.md b/CHANGELOG.md index ac979452d..8ceb70b5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ ### Changed +- Default base image is changed to `gcr.io/etcd-development/etcd`, default etcd version is `3.2.10`. + ### Removed ### Fixed diff --git a/README.md b/README.md index ecb226e6b..744d29bc9 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ See the [Resources and Labels](./doc/user/resource_labels.md) doc for an overvie ## Requirements - Kubernetes 1.8+ -- etcd 3.1+ +- etcd 3.2.10+ ## Demo @@ -101,7 +101,7 @@ metadata: name: "example-etcd-cluster" spec: size: 5 - version: "3.1.8" + version: "3.2.10" ``` Apply the size change to the cluster CR: @@ -129,7 +129,7 @@ metadata: name: "example-etcd-cluster" spec: size: 3 - version: "3.1.8" + version: "3.2.10" ``` ``` $ kubectl apply -f example/example-etcd-cluster.yaml @@ -214,20 +214,21 @@ example-etcd-cluster-0003 1/1 Running 0 1m Have the following yaml file ready: ``` -$ cat 3.0-etcd-cluster.yaml +$ cat upgrade-example.yaml apiVersion: "etcd.database.coreos.com/v1beta2" kind: "EtcdCluster" metadata: name: "example-etcd-cluster" spec: size: 3 - version: "3.0.16" + version: "3.1.10" + baseImage: "quay.io/coreos/etcd" ``` -Create an etcd cluster with the version specified (3.0.16) in the yaml file: +Create an etcd cluster with the version specified (3.1.10) in the yaml file: ``` -$ kubectl apply -f 3.0-etcd-cluster.yaml +$ kubectl apply -f upgrade-example.yaml $ kubectl get pods NAME READY STATUS RESTARTS AGE example-etcd-cluster-0000 1/1 Running 0 37s 
@@ -235,37 +236,37 @@ example-etcd-cluster-0001 1/1 Running 0 25s example-etcd-cluster-0002 1/1 Running 0 14s ``` -The container image version should be 3.0.16: +The container image version should be 3.1.10: ``` $ kubectl get pod example-etcd-cluster-0000 -o yaml | grep "image:" | uniq - image: quay.io/coreos/etcd:v3.0.16 + image: quay.io/coreos/etcd:v3.1.10 ``` -Now modify the file `3.0-etcd-cluster.yaml` and change the `version` from 3.0.16 to 3.1.8: +Now modify the file `upgrade-example` and change the `version` from 3.1.10 to 3.2.10: ``` -$ cat 3.0-etcd-cluster.yaml +$ cat upgrade-example apiVersion: "etcd.database.coreos.com/v1beta2" kind: "EtcdCluster" metadata: name: "example-etcd-cluster" spec: size: 3 - version: "3.1.8" + version: "3.2.10" ``` Apply the version change to the cluster CR: ``` -$ kubectl apply -f 3.0-etcd-cluster.yaml +$ kubectl apply -f upgrade-example ``` -Wait ~30 seconds. The container image version should be updated to v3.1.8: +Wait ~30 seconds. The container image version should be updated to v3.2.10: ``` $ kubectl get pod example-etcd-cluster-0000 -o yaml | grep "image:" | uniq - image: quay.io/coreos/etcd:v3.1.8 + image: gcr.io/etcd-development/etcd:v3.2.10 ``` Check the other two pods and you should see the same result. diff --git a/doc/user/cluster_tls.md b/doc/user/cluster_tls.md index 6c88e19ec..b8ef7110f 100644 --- a/doc/user/cluster_tls.md +++ b/doc/user/cluster_tls.md 
@@ -35,8 +35,8 @@ The example cluster YAML manifest and example certs can be found in [example/tls The peer TLS assets should have the following: - **peer.crt**: peer communication cert. - The certificate should allow wildcard domain `*.${clusterName}.${namespace}.svc`. - In this case, it is `*.example.default.svc`. + The certificate should allow wildcard domain `*.${clusterName}.${namespace}.svc` and `*.${clusterName}.${namespace}.svc.${cluster_domain}`. + In our case, it is `*.example.default.svc` and `*.example.default.svc.cluster.local`. - **peer.key**: peer communication key. - **peer-ca.crt**: CA cert for this peer key-cert pair. diff --git a/doc/user/spec_examples.md b/doc/user/spec_examples.md index 10875920e..67b0d691d 100644 --- a/doc/user/spec_examples.md +++ b/doc/user/spec_examples.md @@ -14,7 +14,7 @@ This will use default version that etcd operator chooses. ```yaml spec: size: 3 - version: "3.1.8" + version: "3.2.10" ``` ### Three members cluster with node selector and anti-affinity diff --git a/doc/user/walkthrough/backup-operator.md b/doc/user/walkthrough/backup-operator.md index 4732d00bc..29b640ca7 100644 --- a/doc/user/walkthrough/backup-operator.md +++ b/doc/user/walkthrough/backup-operator.md @@ -70,7 +70,7 @@ apiVersion: etcd.database.coreos.com/v1beta2 kind: EtcdBackup ... status: - s3Path: mybucket/v1/default/example-etcd-cluster/3.1.8_0000000000000001_etcd.backup + s3Path: mybucket/v1/default/example-etcd-cluster/3.2.10_0000000000000001_etcd.backup succeeded: true ``` diff --git a/doc/user/walkthrough/restore-operator.md b/doc/user/walkthrough/restore-operator.md index 92cf1f568..d99486d19 100644 --- a/doc/user/walkthrough/restore-operator.md +++ b/doc/user/walkthrough/restore-operator.md 
@@ -76,10 +76,10 @@ Create a Kubernetes secret that contains AWS credentials and config. This is use Create the `EtcdRestore` CR: ->Note: This example uses k8s secret "aws" and S3 path "mybucket/v1/default/example-etcd-cluster/3.1.8_0000000000000001_etcd.backup" +>Note: This example uses k8s secret "aws" and S3 path "mybucket/v1/default/example-etcd-cluster/3.2.10_0000000000000001_etcd.backup" ```sh -sed -e 's||mybucket/v1/default/example-etcd-cluster/3.1.8_0000000000000001_etcd.backup|g' \ +sed -e 's||mybucket/v1/default/example-etcd-cluster/3.2.10_0000000000000001_etcd.backup|g' \ -e 's||aws|g' \ example/etcd-restore-operator/restore_cr.yaml \ | kubectl create -f - diff --git a/example/etcd-restore-operator/restore_cr.yaml b/example/etcd-restore-operator/restore_cr.yaml index 03bf26cde..4abb9d8cc 100644 --- a/example/etcd-restore-operator/restore_cr.yaml +++ b/example/etcd-restore-operator/restore_cr.yaml @@ -6,9 +6,10 @@ metadata: spec: clusterSpec: size: 3 - version: "3.1.8" + version: 3.2.10 + baseImage: "gcr.io/etcd-development/etcd" s3: # The format of "path" must be: "/" - # e.g: "etcd-snapshot-bucket/v1/default/example-etcd-cluster/3.1.8_0000000000000001_etcd.backup" + # e.g: "etcd-snapshot-bucket/v1/default/example-etcd-cluster/3.2.10_0000000000000001_etcd.backup" path: awsSecret: diff --git a/example/example-etcd-cluster.yaml b/example/example-etcd-cluster.yaml index fabe9a8c0..df24971fb 100644 --- a/example/example-etcd-cluster.yaml +++ b/example/example-etcd-cluster.yaml @@ -4,4 +4,4 @@ metadata: name: "example-etcd-cluster" spec: size: 3 - version: "3.1.8" + version: "3.2.10" diff --git a/example/tls/certs/ca-config.json b/example/tls/certs/ca-config.json new file mode 100644 index 000000000..dba73de8f --- /dev/null +++ b/example/tls/certs/ca-config.json 
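Review bot: In restore_cr.yaml the new value is written unquoted, `version: 3.2.10`, while every other manifest touched by this commit keeps it quoted and the added `baseImage` line right below it is quoted too. A three-component version still parses as a string, but a two-component value written the same way would be read as a float, so `version: "3.2.10"` is the safer form to leave in an example that people copy.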
@@ -0,0 +1,34 @@ +{ + "signing": { + "default": { + "expiry": "43800h" + }, + "profiles": { + "server": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + }, + "client": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "client auth" + ] + }, + "peer": { + "expiry": "43800h", + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ] + } + } + } +} diff --git a/example/tls/certs/ca-csr.json b/example/tls/certs/ca-csr.json new file mode 100644 index 000000000..5b25a1023 --- /dev/null +++ b/example/tls/certs/ca-csr.json @@ -0,0 +1,16 @@ +{ + "CN": "My own CA", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "CA", + "O": "My Company Name", + "ST": "San Francisco", + "OU": "Org Unit 1" + } + ] +} diff --git a/example/tls/certs/etcd-client-ca.crt b/example/tls/certs/etcd-client-ca.crt index ecaa245bc..de68a15b9 100644 --- a/example/tls/certs/etcd-client-ca.crt +++ b/example/tls/certs/etcd-client-ca.crt 
@@ -1,22 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDujCCAqKgAwIBAgIUc1U4246CFKu48X11jNH1wol8R1IwDQYJKoZIhvcNAQEL +MIID3jCCAsagAwIBAgIUKXbvWUAgVnL7iVUcet3e4x1qH70wDQYJKoZIhvcNAQEL BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA4MDQwMDU1MDBaFw0yMjA4 -MDMwMDU1MDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzEwMzEyMjUzMDBaFw0yMjEw +MzAyMjUzMDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv MQswCQYDVQQHEwJDQTEYMBYGA1UEChMPTXkgQ29tcGFueSBOYW1lMRMwEQYDVQQL -EwpPcmcgVW5pdCAyMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDMzC1UukJS8nUJR/wS+65VvO0ifCQRY+i2sFZuoAYm -MuZDcVBBL4wklv3/A6PiK0PjoI4jeHvgsPl+/IxIazj3Wih/bJ0vPXqorettLbL2 -39YiaP6PUaTqK7UacCLGC+gWnQ/3BQ0ksRyJPhaj0y8F2dJXBMPjYa73j0CI3au9 -r4ENYk1gL5c97bp6nOElPaceVnxhdumQROkNwlYIP5Yg0NRHcvgmQpcd0YfxhYnd -3NrXy7TWYQWprTjDxN3P3VoecBSmmsa3NKHWmgXkb5oydfJ2quEAVxZyDNdyLEgd -TCWPXFmJCxRW8e0vg9R97EGuqAYuk7u2qvwZMeuljaifAgMBAAGjQjBAMA4GA1Ud -DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT8isnuZ7ofP3Op -W1cfE/N9nbLnBDANBgkqhkiG9w0BAQsFAAOCAQEAHi/Q9bF4/jYHYf07fOFsCQSF -A3b8w4fkEUifxHoBxmBBEytsKf0R9wcq21bJgQ4l76whM+Msqp6rtuJlIQL2Kn7z -zowgvYbkYyx8JUbLxKSv630n0QpnXlGkYgNpa0OKhvS4Ydr9BO6qB2Z1p8/5PdJx -FUs92nrD8b+ROS85YEbz5Txs0ztSWlvjs17WOIgQHaBGC651Z8RfLXfMefZEXARU -4hFHVOmwNOaA9PjOaH+AdpI6ShQNX7IhApRahdRxRMwaenE8OatQAaNr7mCjjw1h -7MmqiR65dhsYJNJcKRIN/heEc/jR4asXA4gmq5l0QnOUahbiRO9MGtG/yq2lFA== +EwpPcmcgVW5pdCAxMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDgwydE2HYdqTiz//bMSL/C4w2y4DDMjGZgNdo50VIl +QniiNDrPRB8Xt1fY4MO3VAyLWU934YKssrsqSDn1PE/Fcc5yURKaMc+rsSlGr8Qn +E/W551OuEIAKujPKhIIBk6X4mBVQWEQnjVskAD0aEjYtoo4I/+9F67Rklub5fXwE +ESsB5yf812zWSzC51Ls0s1Uc80h5buh4p7HtFDOY0oCNxNx2Ou21xn5qqpG/1flY +ReHHKmuvRWwnxQdQu+qrill8j/H48Ly6ZGSV47Qqiw7Hb2JK2vnsf95Pp8nEProU 
+53M5V5y5WHW8VH0sVgzjgc0rC0w0TCCQVkGUSttqFpdJAgMBAAGjZjBkMA4GA1Ud +DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSgWCYJFFoa +6O22U4MaelWJt3khUDAfBgNVHSMEGDAWgBSgWCYJFFoa6O22U4MaelWJt3khUDAN +BgkqhkiG9w0BAQsFAAOCAQEA1ELpWokOl1kwD5fbuROUZ9YedhXVRBWUKKluqQCr +eUUU7x/txKZ4xRYr3s1ltuUjxOMs5XbJSJq1z3tifDQ1srDjyU2CkKtZfjX5xmaS +QHCEJv/WgC6SBHGVYAgZ1hONPN2WpWxDYOLf6seonLszCHLkHMmjub8uFi/TSP8x +5OQ2SYLpHQDQcb3xlwk6+09ZuihAzWAgNAOvW+cNrunlD7N+BBTWMZmugKzqk0BT +avTn+p4dimFk528Iz+bk2uCfmF9WlnHm9DmlwCwM4PioGND7ag1VXAsgkqRWGa3k +uCP+NP3PpnGJLfxV5u20YlNLJk8bVFMB6FoFMafREVMQBA== -----END CERTIFICATE----- diff --git a/example/tls/certs/etcd-client.crt b/example/tls/certs/etcd-client.crt index d5b53a83b..20697eb91 100644 --- a/example/tls/certs/etcd-client.crt +++ b/example/tls/certs/etcd-client.crt 
@@ -1,19 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIC/zCCAeegAwIBAgIUFIXoPvxUJb0gJxyvZafxQoOjRLwwDQYJKoZIhvcNAQEL +MIIDzzCCAregAwIBAgIUFr+6DAbtFSnfqm4Aup/yPagMWB8wDQYJKoZIhvcNAQEL BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA4MDcxOTM2MDBaFw0yMjA4 -MDYxOTM2MDBaMEMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN -U2FuIEZyYW5jaXNjbzEPMA0GA1UEAxMGY2xpZW50MFkwEwYHKoZIzj0CAQYIKoZI -zj0DAQcDQgAEgh6z4iNScKvQSwnb+t3ER4MMPgZBDxHAwGLOYRfpRK1UWcufECGP -AaZP1efP+IRnul4dhEsy6HS8eJmmx9jAjqOBgzCBgDAOBgNVHQ8BAf8EBAMCBaAw -EwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU+qZP -vBpJQHo9GbVObVkZ4/i6LIswHwYDVR0jBBgwFoAU/IrJ7me6Hz9zqVtXHxPzfZ2y -5wQwCwYDVR0RBAQwAoIAMA0GCSqGSIb3DQEBCwUAA4IBAQCgq/fFtMgjFoNH73+p -gGO6XLru+/6g0R9tTY7oEeXLCb6y60Uihb+JZnVe3L+VB0/cPtn3BXw1ymFp53Y9 -RXJma2kqjjVv8ssQ8lDuIYEMAfDDxsvDKZWYDu2dVLtDFGMFK6kCREpyXy5JtEky -yF+4kOUhm7LRKkm0simgg/JHp34mrrMizrVrKbg8Wyca2emE6hUwBRBOoQt8THd7 -NJ11FHiX5LA5Fp0J5bbyXqF4zZ7kIE3Pv9QKI33lsOlRi6coCGyv2R0005GU2Fqb -rfOIcifaf1Z9ipVSrqlaD0/qLVD7DjXmL6eP0UVoGU+XySlcyXMPlKYbsP3SnYdu -bjzH +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzEwMzEyMjUzMDBaFw0yMjEw +MzAyMjUzMDBaMEgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv +MQswCQYDVQQHEwJDQTEUMBIGA1UEAxMLZXRjZCBjbGllbnQwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDBA3WhHLwWPFeaqsDIvwkqnszPIiCpyDdLkpTx +XcjM6PTiA/hA2y3WRlcQrBsPAcGyj3V+fGxOCGTIktoKLvFk4GjGR6zw+hfIGwSe +hbuPAQnkaoCsctrgeRjyv7TUb9N4KzXOYfP/RHAtZxh+91gmo/oF/kgzJz+MFR/y +OodBzzdXp7ZAumt0HUB5kqDxQDNXftnquK0WWvjU9geoYwFuHZ4J25p18RmMkL7p +hAWK+MB8+DgTMDP3SGh7SwdVS41UJhJTxK6C/ebj5fMjMNmsinAtCt39pvgwcP7y +p3k/IPoXxWBqRaC3NZW8Mq/dFVMVdcDZ9kzXWiRuvVnCpwzzAgMBAAGjgYMwgYAw +DgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQC +MAAwHQYDVR0OBBYEFNJTsiGVvKItIERnVbqCz9kpQoDyMB8GA1UdIwQYMBaAFKBY +JgkUWhro7bZTgxp6VYm3eSFQMAsGA1UdEQQEMAKCADANBgkqhkiG9w0BAQsFAAOC 
+AQEAjleSdnxhceY4/muz9HsC1Fk9Yh/KqkMZWMbKCSGyDGR27hS69RJ5VSpfHV6O +2BzXrhH7ygbnqGIl9BreBVOuYsNK/Z2l/h1vwRmehpjlht1LWQAYgSsS24RxgFSL +w2QREI+3hYtnOW7ESnnZTD5xlNJenR1iQx7+R+1Y4R2viqN6s8WF30p7q28EzBVR ++jlqezpwDhmIRTv91IQhrhmkn/xFtg0ZiIS/AGbjKpPKmVw19mweh2TRscV1V8Gk +0nCV8xvREELZyFLNyXdlkhVMyE2f0Dp4uYcPwuPlGTFcQOmELirzi0Gw94WaoIPO +58JdskKHXTJdzbV15WYM/KD8Kw== -----END CERTIFICATE----- diff --git a/example/tls/certs/etcd-client.json b/example/tls/certs/etcd-client.json new file mode 100644 index 000000000..ff0b342d8 --- /dev/null +++ b/example/tls/certs/etcd-client.json @@ -0,0 +1,16 @@ +{ + "CN": "etcd client", + "hosts": [""], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "CA", + "ST": "San Francisco" + } + ] +} + diff --git a/example/tls/certs/etcd-client.key b/example/tls/certs/etcd-client.key index ab12cbbcf..4a19bca1b 100644 --- a/example/tls/certs/etcd-client.key +++ b/example/tls/certs/etcd-client.key 
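Review bot: `"hosts": [""]` in etcd-client.json puts one empty string in the host list instead of leaving the list empty, and the regenerated etcd-client.crt in this commit carries a subjectAltName extension whose only entry is a zero-length DNS name. Stricter TLS stacks may warn on or reject an empty dNSName, so `"hosts": []` would be the cleaner request if cfssl's missing-hosts warning is acceptable for a client certificate. The removed certificate had the same SAN, so this is not a regression, but the new CSR file now makes it the documented way to produce the client cert.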
@@ -1,5 +1,27 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIFuA5AKbtdPPtIpE5PFq9oM8jMv3UYulHVoGSo5mOSQ6oAoGCCqGSM49 -AwEHoUQDQgAEgh6z4iNScKvQSwnb+t3ER4MMPgZBDxHAwGLOYRfpRK1UWcufECGP -AaZP1efP+IRnul4dhEsy6HS8eJmmx9jAjg== ------END EC PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAwQN1oRy8FjxXmqrAyL8JKp7MzyIgqcg3S5KU8V3IzOj04gP4 +QNst1kZXEKwbDwHBso91fnxsTghkyJLaCi7xZOBoxkes8PoXyBsEnoW7jwEJ5GqA +rHLa4HkY8r+01G/TeCs1zmHz/0RwLWcYfvdYJqP6Bf5IMyc/jBUf8jqHQc83V6e2 +QLprdB1AeZKg8UAzV37Z6ritFlr41PYHqGMBbh2eCduadfEZjJC+6YQFivjAfPg4 +EzAz90hoe0sHVUuNVCYSU8Sugv3m4+XzIzDZrIpwLQrd/ab4MHD+8qd5PyD6F8Vg +akWgtzWVvDKv3RVTFXXA2fZM11okbr1ZwqcM8wIDAQABAoIBAQCF26tZl/8NgL3U +wzU+Q9bMmyM5R9bVSMiofbkUB9G54pnqoYwrFpacc13wbxu49aPq/TkkBpBqMcIL +pGTZCSNarZOcZ5sV6KxTmAFFG0Qvci31HrOsZV9MrE9UEwYLCp7jSTxgrGg2kbUm +l8hSTaHx8mj0fRx/dWnJ8eCc8mBZj3LO6A9w1bSa53LGh5LggyxDFwRfECXcUEAI +RWFkP8QWVweSzbScHomVEQ3Wn0isBgMF3s5hcdvu6txkS+p12/M7ZXk1cgXZTNtM +6WUhX/uP/NrcA4b5NIRiW5hQ0qgGsCcVD7Tq3fBHZbt6dfRsPE+XIkQF79lmIRIu +DYeamONxAoGBANktHJ25DJ9lB99kIF8wTm1F0Xv1rfkz2YrW38MVhOErDfDurgTk +4VTcIfV8gNTmI/LLIOvk9B2nzm2wWJWFO2XRdEuTbWjQQn/po8G5mEKieYiHFHY1 +0vx2HrwzZAtuxz0ceHC6aEoYg76w4a7ILiSw4eoMsIBjci7Q8kO3HUPJAoGBAOOE +j812IJylsdPiYAFlnqmm4+XPqXnXA8juUzlZr69GTgtwb0o6ZmnvmNPwErBXPwaB +DzWauENu5Tg1PxBjxBCxCjDlJcizhbGNaGLn8TphVpzg3roIWEqn6LR8es7WGao1 +H9TyUSKGCSqCnszVhdBw+DyFxnKCKi8VXbHfFZDbAoGBAI6POlWef1aybzSI+WcC +wrigOB7y6rzG+GpXGpNosM1OAdzCEKFNzUxzJCeNDtSyLa7XAElZBZXh7XO7aqrb +xl3T3E8v+4XuD3j/2Wr1daloFfc1FI10T4dB0nMgGPAYS9klsznsY0EgTnsCiWK+ +LOwQ4HtO0R22KeHpbt5ceW1hAoGBAJ3TWUX3ycugjWkkQeD2M0gQg0rp8PCaHQAH +gyfndR2rMXxx9GGTfXPDR0rN4Mj+3LOQV5Khz2zHwq5pEWQ3MM07YoxkiP9euUFf +jKf/qbEL0N9mhlqaa1TugViieTZ+ArO1wm0f4vSF8lnQ3oPNItRjaW/ihLTuYoDi +22oGDJm9AoGAS7rQk9SkMvg0miOGJJSKPwhLjvPRLxYWE/X9DkSpJPLdlay7LXj2 +o9kytsNQ305U+aB55h1MkpI22TxClFIJ0YiPHOoYuvvEJ6YCpphZiNdRQVT/8Unv +sCV40oCU+RDsJNC4FAuVnXAovdT1VHkhZum7i25oto+C0hdZGpSlloM= +-----END RSA PRIVATE KEY----- 
diff --git a/example/tls/certs/gen-cert.sh b/example/tls/certs/gen-cert.sh
new file mode 100755
index 000000000..7ca299294
--- /dev/null
+++ b/example/tls/certs/gen-cert.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+echo "generating CA certs ==="
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
+
+echo "generating etcd peer certs ==="
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer peer.json | cfssljson -bare peer
+
+echo "generating etcd server certs ==="
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
+
+echo "generating etcd client certs ==="
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client etcd-client.json | cfssljson -bare etcd-client
+
+mv etcd-client.pem etcd-client.crt
+mv etcd-client-key.pem etcd-client.key
+cp ca.pem etcd-client-ca.crt
+
+mv server.pem server.crt
+mv server-key.pem server.key
+cp ca.pem server-ca.crt
+
+mv peer.pem peer.crt
+mv peer-key.pem peer.key
+mv ca.pem peer-ca.crt
+
+rm *.csr ca-key.pem
diff --git a/example/tls/certs/peer-ca.crt b/example/tls/certs/peer-ca.crt
index ecaa245bc..de68a15b9 100644
--- a/example/tls/certs/peer-ca.crt
+++ b/example/tls/certs/peer-ca.crt
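Review bot: gen-cert.sh has no error handling, so when a `cfssl gencert` step fails (cfssl not on PATH, a malformed CSR file) the script still runs the `mv`/`cp` steps and the final `rm *.csr ca-key.pem`. Adding `set -euo pipefail` and `cd "$(dirname "$0")"` right after the shebang would stop at the first failed pipeline and make the relative file names independent of the caller's working directory. The script's output, including the three private keys, is committed to the repository, so a header comment such as `# Example material only: the committed keys are public; regenerate them for any real cluster.` would make that explicit to anyone copying the directory.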
@@ -1,22 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDujCCAqKgAwIBAgIUc1U4246CFKu48X11jNH1wol8R1IwDQYJKoZIhvcNAQEL +MIID3jCCAsagAwIBAgIUKXbvWUAgVnL7iVUcet3e4x1qH70wDQYJKoZIhvcNAQEL BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA4MDQwMDU1MDBaFw0yMjA4 -MDMwMDU1MDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzEwMzEyMjUzMDBaFw0yMjEw +MzAyMjUzMDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv MQswCQYDVQQHEwJDQTEYMBYGA1UEChMPTXkgQ29tcGFueSBOYW1lMRMwEQYDVQQL -EwpPcmcgVW5pdCAyMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDMzC1UukJS8nUJR/wS+65VvO0ifCQRY+i2sFZuoAYm -MuZDcVBBL4wklv3/A6PiK0PjoI4jeHvgsPl+/IxIazj3Wih/bJ0vPXqorettLbL2 -39YiaP6PUaTqK7UacCLGC+gWnQ/3BQ0ksRyJPhaj0y8F2dJXBMPjYa73j0CI3au9 -r4ENYk1gL5c97bp6nOElPaceVnxhdumQROkNwlYIP5Yg0NRHcvgmQpcd0YfxhYnd -3NrXy7TWYQWprTjDxN3P3VoecBSmmsa3NKHWmgXkb5oydfJ2quEAVxZyDNdyLEgd -TCWPXFmJCxRW8e0vg9R97EGuqAYuk7u2qvwZMeuljaifAgMBAAGjQjBAMA4GA1Ud -DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT8isnuZ7ofP3Op -W1cfE/N9nbLnBDANBgkqhkiG9w0BAQsFAAOCAQEAHi/Q9bF4/jYHYf07fOFsCQSF -A3b8w4fkEUifxHoBxmBBEytsKf0R9wcq21bJgQ4l76whM+Msqp6rtuJlIQL2Kn7z -zowgvYbkYyx8JUbLxKSv630n0QpnXlGkYgNpa0OKhvS4Ydr9BO6qB2Z1p8/5PdJx -FUs92nrD8b+ROS85YEbz5Txs0ztSWlvjs17WOIgQHaBGC651Z8RfLXfMefZEXARU -4hFHVOmwNOaA9PjOaH+AdpI6ShQNX7IhApRahdRxRMwaenE8OatQAaNr7mCjjw1h -7MmqiR65dhsYJNJcKRIN/heEc/jR4asXA4gmq5l0QnOUahbiRO9MGtG/yq2lFA== +EwpPcmcgVW5pdCAxMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDgwydE2HYdqTiz//bMSL/C4w2y4DDMjGZgNdo50VIl +QniiNDrPRB8Xt1fY4MO3VAyLWU934YKssrsqSDn1PE/Fcc5yURKaMc+rsSlGr8Qn +E/W551OuEIAKujPKhIIBk6X4mBVQWEQnjVskAD0aEjYtoo4I/+9F67Rklub5fXwE +ESsB5yf812zWSzC51Ls0s1Uc80h5buh4p7HtFDOY0oCNxNx2Ou21xn5qqpG/1flY +ReHHKmuvRWwnxQdQu+qrill8j/H48Ly6ZGSV47Qqiw7Hb2JK2vnsf95Pp8nEProU 
+53M5V5y5WHW8VH0sVgzjgc0rC0w0TCCQVkGUSttqFpdJAgMBAAGjZjBkMA4GA1Ud +DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSgWCYJFFoa +6O22U4MaelWJt3khUDAfBgNVHSMEGDAWgBSgWCYJFFoa6O22U4MaelWJt3khUDAN +BgkqhkiG9w0BAQsFAAOCAQEA1ELpWokOl1kwD5fbuROUZ9YedhXVRBWUKKluqQCr +eUUU7x/txKZ4xRYr3s1ltuUjxOMs5XbJSJq1z3tifDQ1srDjyU2CkKtZfjX5xmaS +QHCEJv/WgC6SBHGVYAgZ1hONPN2WpWxDYOLf6seonLszCHLkHMmjub8uFi/TSP8x +5OQ2SYLpHQDQcb3xlwk6+09ZuihAzWAgNAOvW+cNrunlD7N+BBTWMZmugKzqk0BT +avTn+p4dimFk528Iz+bk2uCfmF9WlnHm9DmlwCwM4PioGND7ag1VXAsgkqRWGa3k +uCP+NP3PpnGJLfxV5u20YlNLJk8bVFMB6FoFMafREVMQBA== -----END CERTIFICATE----- diff --git a/example/tls/certs/peer.crt b/example/tls/certs/peer.crt index c3af0c235..6ce674901 100644 --- a/example/tls/certs/peer.crt +++ b/example/tls/certs/peer.crt 
@@ -1,20 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIDQTCCAimgAwIBAgIUNECwYoda6apOEEzxnfd2DdjV99MwDQYJKoZIhvcNAQEL +MIIEETCCAvmgAwIBAgIUY5HWQmhEKqvuoS4dGe74MUpfp+swDQYJKoZIhvcNAQEL BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA4MDcxOTM2MDBaFw0yMjA4 -MDYxOTM2MDBaMEExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN -U2FuIEZyYW5jaXNjbzENMAsGA1UEAxMEcGVlcjBZMBMGByqGSM49AgEGCCqGSM49 -AwEHA0IABM0GMGsC9zBllmEySc89fvw74YfApAtfmTUCKRTOQRzhTUlSkBInxF8/ -peNVDxmwcIxsYvcK0/lf8b0UoDJz/pijgccwgcQwDgYDVR0PAQH/BAQDAgWgMB0G -A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud -DgQWBBSJhk5lq3enyT+WrfdX+g9S3EARmDAfBgNVHSMEGDAWgBT8isnuZ7ofP3Op -W1cfE/N9nbLnBDBFBgNVHREEPjA8ghUqLmV4YW1wbGUuZGVmYXVsdC5zdmOCIyou -ZXhhbXBsZS5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUA -A4IBAQBUdmkKdbOJC8/YyrnOWq9Iwhf8/CKFXmZC/eee3RFBAjUIt7ycr0JSAtZH -633xNFqZjqyuPjBB7n0PpRbzAR8/XKxXONSjJ5vVKKzS3xNZ8SbugMUwrqO2mNJ8 -Hv9udETj6ipk6UtYpMMyEB36mWZGT+kJrRhwsl+Nu+0EXBmxJewtBseYSiF8zVRy -lihtc49ulfqYR7MlcZabH4fUYDZY4MgioY+qnVwTmkv2PCm4MnJJ7rKnsUyUzrEZ -icf52clxy9nkJ5MhPnX+jRGLjvZiznHoubJfHgC24yGuAU0VYAgohZ/Q1uBoC8ID -lqm4DZiwaTi9neS7M3ddmySmdol/ +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzEwMzEyMjUzMDBaFw0yMjEw +MzAyMjUzMDBaMEYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv +MQswCQYDVQQHEwJDQTESMBAGA1UEAxMJZXRjZCBwZWVyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAzvv3cmbiO5Q68T6VF+UJq0hlI5zs+AUhnhEF9Oth +L52oOckQGSt9RiuywBKmBsESFLm+gfP6waQFvVl4QazckTCIZx2qze0sfxQzWWNI +xySePfx7E/aZvWVfeJROMLRVZ530K2K0zPdCc1vxyGTkpFSg6qO5pY6g2appfKIZ +zF+HE1exDgagCvFpnQ3zheSY6F4S47r4UMnH6aeSGsyE1RZVL91K9+MURRjjpr/1 +ySB+It4wfk458g6RiNuKtm4NtQRDkaf4zki4paiRVAz8418k0tL9pWzdbxk9LWJx +Jy4tHmy/m9h4lT8wS0Fav4J5SlWJwxqTWlco3fUgrSgOfQIDAQABo4HHMIHEMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD +VR0TAQH/BAIwADAdBgNVHQ4EFgQUXHY98bMHb7Jq5VmVOk+cvqJT2tAwHwYDVR0j 
+BBgwFoAUoFgmCRRaGujttlODGnpVibd5IVAwRQYDVR0RBD4wPIIVKi5leGFtcGxl +LmRlZmF1bHQuc3ZjgiMqLmV4YW1wbGUuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2Nh +bDANBgkqhkiG9w0BAQsFAAOCAQEAqnJ4DgqC5JZYYjrQdGHP9NQ8fUyy2AVT9KOj +s6Ik/bTtwSJ7vTEG+yFDJSlyAWLPYl09rXm+aQ73FFKZihN5ptqpQjyjfqh3jfoC +DjzFNSxOoGJMwNufLZezD1P3JE26EZPnt9rBd6EGKgDfSMSKCSTjYYpSP93OM816 +3dUkbdiPzAtGN/Q9NFdYY42UyjXAj2c+hmPUr41pZSTW2lzNvLpXrB7nMZH6hjIX +7BemrTR0X+nG/wiJPKMAjizrhiXfMBA8eqo3fota98cDKDWdIKhgIFOZ26wJpoit +Hm1WUJCvgR6+Ujg3tIWTJdmMn3wnqlXKfM/uoihlV1DmHYw7pg== -----END CERTIFICATE----- diff --git a/example/tls/certs/peer.json b/example/tls/certs/peer.json new file mode 100644 index 000000000..e656a1e28 --- /dev/null +++ b/example/tls/certs/peer.json @@ -0,0 +1,19 @@ +{ + "CN": "etcd peer", + "hosts": [ + "*.example.default.svc", + "*.example.default.svc.cluster.local" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "CA", + "ST": "San Francisco" + } + ] +} + diff --git a/example/tls/certs/peer.key b/example/tls/certs/peer.key index 422244aa2..e429e299f 100644 --- a/example/tls/certs/peer.key +++ b/example/tls/certs/peer.key 
@@ -1,5 +1,27 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIKQyfgUIOrahPKKanNwuD32ufLunNPQEqIyFX/XBKPIxoAoGCCqGSM49 -AwEHoUQDQgAEzQYwawL3MGWWYTJJzz1+/Dvhh8CkC1+ZNQIpFM5BHOFNSVKQEifE -Xz+l41UPGbBwjGxi9wrT+V/xvRSgMnP+mA== ------END EC PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAzvv3cmbiO5Q68T6VF+UJq0hlI5zs+AUhnhEF9OthL52oOckQ +GSt9RiuywBKmBsESFLm+gfP6waQFvVl4QazckTCIZx2qze0sfxQzWWNIxySePfx7 +E/aZvWVfeJROMLRVZ530K2K0zPdCc1vxyGTkpFSg6qO5pY6g2appfKIZzF+HE1ex +DgagCvFpnQ3zheSY6F4S47r4UMnH6aeSGsyE1RZVL91K9+MURRjjpr/1ySB+It4w +fk458g6RiNuKtm4NtQRDkaf4zki4paiRVAz8418k0tL9pWzdbxk9LWJxJy4tHmy/ +m9h4lT8wS0Fav4J5SlWJwxqTWlco3fUgrSgOfQIDAQABAoIBAAOuu/JPHktNEddk +86YfLxLbEOGXUyf+f2CekOqQnYQJXArbJuwrt+jdsip0qnuIR9gSje8l9hon3upF +gzw35Ry4LlUXVAih5Z7FLzyx5YOVhTM5IL90LbwO56nviYyYSMS1LLjw4qKa65W9 +1wlnsiGyV8KU8yKc7QOyYnoTMD5QlJTMrIyQz0JJYXpnKJ7nUVkVVF2EaJANloYU +bh6hyWBayup6EcHNrvpaGejbp1Zd+ByTTy0O1vSc6c+nMozJWeZo8XgXuAtZAgth +3Yll7esUvBkwG/AFxO+ernD7oOFjEVNYXopph+jsQlBHxkxFhLTincicabyU81wv +UJ4Gv0kCgYEA2k0len5xQVXiRm2EeLvhs3gGwe+ymehgXorhznrlfZLcrB9dzGsj +nNKy59vwG45/oY+y2lA45WBY0wBvrRIY9yhAomukzXyKnDgcDnUDzwCO0bZ+0FIi +eGykyB8VRiOgDWuID2FXDLyBdcNwGj5nzHt1mL3rKTXcGzDC9Nmhfi8CgYEA8rqA +9NyRdNxwO2JVcK0LLx71E7s3xmAJHst2PecO/D/+GhNa/zyDk4rAYeTQsBHxjWp1 +mbjWiPF229QqZOQGVkXh9FoBYflAOHH1sgR6Lhpv5qr+Tcpabl1vLK0+RLLFS4Ta +nSzgoxMa/LepKontO237BPMje30HlKwraJFcHxMCgYEAqCZ+dPFKaaou5lLblGgc +PTJ5+g6ZQwYEnS5bKsHtXaGvSwHKLXhlcRm25vO56nAEDb1zZcgfW0ewg681Vlm3 +U0H1L2a9Be8lkZmCuvwVV/C1EgKBghOSK7J75w5SQ7mTQmMO5dHzzIKzMbO9+OkS +6SY7+dBogFDVXzhbI2EzjM8CgYEA56tYn9zRu/8V46gEMmoHDa93bKC5KE7LBahe +L9ET/XC6f3rP1GKWlsDMw+KXyCUoLrhYjCLeKJCGyGQlHmyBG+DRO96YCUHTqMwk +HAen8c7r1PaJiAfF7iahkLu9feY+5shju7Z0pVD75g8Jl/9S/PEIr/28dQWtsZnu +SHzMtx8CgYEAiSJ30r6jnp1fQbsYIaTaeHUwh8QDBlA5K71L0oBADTucPV3i5unV +BMFFZ97uH0NEhOGL4l2ZgzLX85Lk9abLrMP04TuxRxt6nPctPB8/RY0RdrwTtbmo +35YK9y08MtHOn7H5CRarrgOJAZPyk4VPdscP+xXNuIP4uS0Z0qLtdRI= +-----END RSA PRIVATE KEY----- 
diff --git a/example/tls/certs/server-ca.crt b/example/tls/certs/server-ca.crt
index ecaa245bc..de68a15b9 100644
--- a/example/tls/certs/server-ca.crt
+++ b/example/tls/certs/server-ca.crt
@@ -1,22 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDujCCAqKgAwIBAgIUc1U4246CFKu48X11jNH1wol8R1IwDQYJKoZIhvcNAQEL +MIID3jCCAsagAwIBAgIUKXbvWUAgVnL7iVUcet3e4x1qH70wDQYJKoZIhvcNAQEL BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA4MDQwMDU1MDBaFw0yMjA4 -MDMwMDU1MDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzEwMzEyMjUzMDBaFw0yMjEw +MzAyMjUzMDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv MQswCQYDVQQHEwJDQTEYMBYGA1UEChMPTXkgQ29tcGFueSBOYW1lMRMwEQYDVQQL -EwpPcmcgVW5pdCAyMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDMzC1UukJS8nUJR/wS+65VvO0ifCQRY+i2sFZuoAYm -MuZDcVBBL4wklv3/A6PiK0PjoI4jeHvgsPl+/IxIazj3Wih/bJ0vPXqorettLbL2 -39YiaP6PUaTqK7UacCLGC+gWnQ/3BQ0ksRyJPhaj0y8F2dJXBMPjYa73j0CI3au9 -r4ENYk1gL5c97bp6nOElPaceVnxhdumQROkNwlYIP5Yg0NRHcvgmQpcd0YfxhYnd -3NrXy7TWYQWprTjDxN3P3VoecBSmmsa3NKHWmgXkb5oydfJ2quEAVxZyDNdyLEgd -TCWPXFmJCxRW8e0vg9R97EGuqAYuk7u2qvwZMeuljaifAgMBAAGjQjBAMA4GA1Ud -DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT8isnuZ7ofP3Op -W1cfE/N9nbLnBDANBgkqhkiG9w0BAQsFAAOCAQEAHi/Q9bF4/jYHYf07fOFsCQSF -A3b8w4fkEUifxHoBxmBBEytsKf0R9wcq21bJgQ4l76whM+Msqp6rtuJlIQL2Kn7z -zowgvYbkYyx8JUbLxKSv630n0QpnXlGkYgNpa0OKhvS4Ydr9BO6qB2Z1p8/5PdJx -FUs92nrD8b+ROS85YEbz5Txs0ztSWlvjs17WOIgQHaBGC651Z8RfLXfMefZEXARU -4hFHVOmwNOaA9PjOaH+AdpI6ShQNX7IhApRahdRxRMwaenE8OatQAaNr7mCjjw1h -7MmqiR65dhsYJNJcKRIN/heEc/jR4asXA4gmq5l0QnOUahbiRO9MGtG/yq2lFA== +EwpPcmcgVW5pdCAxMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDgwydE2HYdqTiz//bMSL/C4w2y4DDMjGZgNdo50VIl +QniiNDrPRB8Xt1fY4MO3VAyLWU934YKssrsqSDn1PE/Fcc5yURKaMc+rsSlGr8Qn +E/W551OuEIAKujPKhIIBk6X4mBVQWEQnjVskAD0aEjYtoo4I/+9F67Rklub5fXwE +ESsB5yf812zWSzC51Ls0s1Uc80h5buh4p7HtFDOY0oCNxNx2Ou21xn5qqpG/1flY +ReHHKmuvRWwnxQdQu+qrill8j/H48Ly6ZGSV47Qqiw7Hb2JK2vnsf95Pp8nEProU 
+53M5V5y5WHW8VH0sVgzjgc0rC0w0TCCQVkGUSttqFpdJAgMBAAGjZjBkMA4GA1Ud +DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSgWCYJFFoa +6O22U4MaelWJt3khUDAfBgNVHSMEGDAWgBSgWCYJFFoa6O22U4MaelWJt3khUDAN +BgkqhkiG9w0BAQsFAAOCAQEA1ELpWokOl1kwD5fbuROUZ9YedhXVRBWUKKluqQCr +eUUU7x/txKZ4xRYr3s1ltuUjxOMs5XbJSJq1z3tifDQ1srDjyU2CkKtZfjX5xmaS +QHCEJv/WgC6SBHGVYAgZ1hONPN2WpWxDYOLf6seonLszCHLkHMmjub8uFi/TSP8x +5OQ2SYLpHQDQcb3xlwk6+09ZuihAzWAgNAOvW+cNrunlD7N+BBTWMZmugKzqk0BT +avTn+p4dimFk528Iz+bk2uCfmF9WlnHm9DmlwCwM4PioGND7ag1VXAsgkqRWGa3k +uCP+NP3PpnGJLfxV5u20YlNLJk8bVFMB6FoFMafREVMQBA== -----END CERTIFICATE----- diff --git a/example/tls/certs/server.crt b/example/tls/certs/server.crt index db17a8930..d28c0921c 100644 --- a/example/tls/certs/server.crt +++ b/example/tls/certs/server.crt 
@@ -1,20 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIDSzCCAjOgAwIBAgIUCEndF4lq3BsoJhmMKz2MGQqDNXcwDQYJKoZIhvcNAQEL +MIIECzCCAvOgAwIBAgIUJ9A0ORmRWaag95KE7Mw7ZEeAsqwwDQYJKoZIhvcNAQEL BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA4MDcxOTM2MDBaFw0yMjA4 -MDYxOTM2MDBaMEMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN -U2FuIEZyYW5jaXNjbzEPMA0GA1UEAxMGc2VydmVyMFkwEwYHKoZIzj0CAQYIKoZI -zj0DAQcDQgAEZnrz4PrsNQBndYxzNM3Ht3Q5TNBixh7m3wI2b3AsCdpnlBzQsYvs -+uBpQz/QZejHAEoishLWPScXIYk5+Dar5aOBzzCBzDAOBgNVHQ8BAf8EBAMCBaAw -EwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUNgoS -soqjrEpGqEhlX2ffC63+r40wHwYDVR0jBBgwFoAU/IrJ7me6Hz9zqVtXHxPzfZ2y -5wQwVwYDVR0RBFAwToIVKi5leGFtcGxlLmRlZmF1bHQuc3ZjghpleGFtcGxlLWNs -aWVudC5kZWZhdWx0LnN2Y4IOZXhhbXBsZS1jbGllbnSCCWxvY2FsaG9zdDANBgkq -hkiG9w0BAQsFAAOCAQEAdJNgGTq8R6dE1tQRfPpROXJ43A+4IZeMm4nJOMT7IfOQ -S1Cm67yLUIg0YAtYU2dzsjpTtObCOjU+wv4SI2ytNVp1hwWp3+BhBXMoSJD7KMnv -dsJ7fqgG2C0xA2hUYrSSIST5g+b4hZ7Yn3Dto5dDa68IdADdlpx6IsFlnKqZhZpy -jRkegbQ4fkDId/eI5Q32KU60d06AKl1nX9P2x5KDHWaUWI4apjLt9V9iIelXyAdB -Z5wg7DhR+bzRCiX0PsSMyJj1wen2umw3VKrLtM5xIavXxZldmptuJTtXjNQ6N6en -dtGZVxB7TCJ8sFUUs7mzAUD+ruSeX3j6SvXl1FHsRw== +bml0IDExEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzEwMzEyMjUzMDBaFw0yMjEw +MzAyMjUzMDBaMEgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv +MQswCQYDVQQHEwJDQTEUMBIGA1UEAxMLZXRjZCBzZXJ2ZXIwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDHQ27rtTF+U5X67gpWf4tmAnG9P/p2PzVltqWi +jn2niHcAm3rA2ZyKa97REIg43j3K9+mfcah36fY6h567OfxuOU3MY5Nf7A/EchxZ +qqiGCyghwXBWs7kspucxr3KIrlZD8ZFshLDKwKJuHonxBqZgU90gCGrex+RnYRO3 +fUBWXTua/d+k5kKXSrpSYQhevZX3QxPwhBYc1a6tEgNcTi4hQWjNoVNVq0vySps3 +5eOzh/vD7Y6iFimp6EkRDfqfEUG9Vt1ngfILqP/P3chHVFkBPGLWYqGrD7jELmry +DtHfbFUuzZJcz4I5FxE6V0LdkOEbI7VGqLcCFokwzi3gCkF9AgMBAAGjgb8wgbww +DgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC 
+MAAwHQYDVR0OBBYEFAt3OUO1pMZ4rQSzKbebIWE/PbYEMB8GA1UdIwQYMBaAFKBY +JgkUWhro7bZTgxp6VYm3eSFQMEcGA1UdEQRAMD6CFSouZXhhbXBsZS5kZWZhdWx0 +LnN2Y4IaZXhhbXBsZS1jbGllbnQuZGVmYXVsdC5zdmOCCWxvY2FsaG9zdDANBgkq +hkiG9w0BAQsFAAOCAQEAjdkgFCI0ySHIf3QyfckcoCpPVTU+S3g4gRp+RWGbQ2yp +pgAJBBG6tFZRu9VGhj2uDtqDxyp1igKs4aOA95Amm92/k9y8Xw1LMPNIdmst/1ol +UbLrFfhxwYbZTpn0FDESHrRNX8j5UlRFsoqcW6CXdem8DL2MB5eshnpKZMLABoqM +EzNRvfnJ4tkH9T949nJkjXcih/0UWg/S/P9MsXMxbXpuDxivynMcBUQxPfdkMzTV +BwogyJn/f508ahlmlwb0JM5D7RLhHndBP1hbs00KE8g927PkpL8QNBW/DL2bjS0y +UI/MmAWRZiP6LAj+3H12QbbCmG5LvY+Ujbz28qSuXg== -----END CERTIFICATE----- diff --git a/example/tls/certs/server.json b/example/tls/certs/server.json new file mode 100644 index 000000000..5dcd463da --- /dev/null +++ b/example/tls/certs/server.json @@ -0,0 +1,20 @@ +{ + "CN": "etcd server", + "hosts": [ + "*.example.default.svc", + "example-client.default.svc", + "localhost" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "CA", + "ST": "San Francisco" + } + ] +} + diff --git a/example/tls/certs/server.key b/example/tls/certs/server.key index 5207a3945..6963f2c54 100644 --- a/example/tls/certs/server.key +++ b/example/tls/certs/server.key 
@@ -1,5 +1,27 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIIsW5ZIz1MYn1tyXncmkBL81C8DWULIbd31qOJvH12VOoAoGCCqGSM49 -AwEHoUQDQgAEZnrz4PrsNQBndYxzNM3Ht3Q5TNBixh7m3wI2b3AsCdpnlBzQsYvs -+uBpQz/QZejHAEoishLWPScXIYk5+Dar5Q== ------END EC PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAx0Nu67UxflOV+u4KVn+LZgJxvT/6dj81Zbaloo59p4h3AJt6 +wNmcimve0RCION49yvfpn3God+n2Ooeeuzn8bjlNzGOTX+wPxHIcWaqohgsoIcFw +VrO5LKbnMa9yiK5WQ/GRbISwysCibh6J8QamYFPdIAhq3sfkZ2ETt31AVl07mv3f +pOZCl0q6UmEIXr2V90MT8IQWHNWurRIDXE4uIUFozaFTVatL8kqbN+Xjs4f7w+2O +ohYpqehJEQ36nxFBvVbdZ4HyC6j/z93IR1RZATxi1mKhqw+4xC5q8g7R32xVLs2S +XM+CORcROldC3ZDhGyO1Rqi3AhaJMM4t4ApBfQIDAQABAoIBADYtnIwUAPgDDAVl +EYSBO0qqIXi+W4ApIYCdT53KNloF3a1ZmN+0iz6Lo9KeNxuXOZ/lFi1W/uJTx7IU +S9FGK99gT0niTSDIk2TrTdAHebiwceHzsXKxfQip/LRiqraFCEmC9fJWhacrBz7/ +qKvTDguk4bui7kPSf8Sn/W9na8XPKssoPEzYR/sPUh3D8TcdrWZrS2R+6xaLr2Pm +Hi5ZtF9eW4n2biRxXvIFGI76BrFE8UlHcdau7YdTrHQhbLz+go43T02iV4eKdSzp +A3OJDyKbut4fTPWx4rlk1ysaianpdXDaFxXzZd7vXvLq5VfxO17D3Ti9uhjBQE9J +YzUbFPUCgYEA6s9aWhmmMtzoEBt2FngjfDrRxI2Yp0yASvh2bDCO+b5/P8F0uLKU +HcOmJG1949212nPQ9SDnRSSM9joRA3HKP/gRx8KGKoFsQadMnW7tOnEwKJvDWe6V +DypW36zI4YicJJOX+UbLHStom24Y7O7q59wp726p8piy3Sa/MHz2ZAcCgYEA2T7f +oBP76IuTDKOzk3QO0ow7fsVQCM28h2JLMYFnGQQksDvFgdeM4Y8dONrVVahXVH+N +7CAnZ5H3wFEXpXetyuwplEmhfzDnyERvi0udxmYrug0xOu+DCEJP3w7T4pHCDEho +Ea3sbwTmZC4ckfkR/gQKR8RxX2R/6n93rDj29VsCgYEAt3teA+flCfu6ztNWnEo2 +mF2yCuAGeDx8R5kNmI79OkRUVPKLjcPln7iBfBee9s8JynETyGh0r3/XMpS/NKzX +ONNUuX7UriRB/q+HW8IRV8iYtDK7HOwkyBvylIgE1M+WC7LVX3GlR97iuAn5KjOr +lZBhqHoWDL6rjco4PeB3/EMCgYEAvOCIJrIZOzZWdA/DqjimRnI7q90611ygRAi2 +nWUHUN2kVECzWE8iolz+KBdCkYWZ39JCfv/5ondrMp6Oc4NY62tmPxHBQkcvzZOK +c04b74mXDNw5aCcjAkQ9Ew7eM0dMsccmC/Dt9hwJfyIEHvmwpeu3UGw/sZM8D5Ih +Zu/j7q8CgYAv76kxhx/jxdX77FNflAhM7HK+hpcpJPzy/e/Jle+jbMki6d5lytCp +DjRPVsgVUV6FGOSLRcDzbOyfwVRJduToLox2UUGVJaPRid8D/Y5+HGs2yyKG7ubz +SzH3mMv+TDPFmVsKlECMUgr1aEKJRQf2KcLFioXZlLAIRuzDufnCnw== +-----END RSA PRIVATE KEY----- 
diff --git a/example/tls/example-tls-cluster.yaml b/example/tls/example-tls-cluster.yaml index a11820663..13266b7fe 100644 --- a/example/tls/example-tls-cluster.yaml +++ b/example/tls/example-tls-cluster.yaml @@ -4,14 +4,6 @@ metadata: name: "example" spec: size: 3 - backup: - # short snapshot interval for testing, do not use this in production! - backupIntervalInSecond: 30 - maxBackups: 5 - storageType: "PersistentVolume" - pv: - volumeSizeInMB: 512 - autoDelete: true TLS: static: member: diff --git a/pkg/apis/etcd/v1beta2/cluster.go b/pkg/apis/etcd/v1beta2/cluster.go index 3dbf7c164..939cda454 100644 --- a/pkg/apis/etcd/v1beta2/cluster.go +++ b/pkg/apis/etcd/v1beta2/cluster.go @@ -23,8 +23,8 @@ import ( ) const ( - defaultBaseImage = "quay.io/coreos/etcd" - defaultVersion = "3.1.8" + defaultBaseImage = "gcr.io/etcd-development/etcd" + defaultVersion = "3.2.10" ) var ( @@ -74,17 +74,17 @@ type ClusterSpec struct { // BaseImage is the base etcd image name that will be used to launch // etcd clusters. This is useful for private registries, etc. // - // If image is not set, default is quay.io/coreos/etcd + // If image is not set, default is gcr.io/etcd-development/etcd BaseImage string `json:"baseImage"` // Version is the expected version of the etcd cluster. // The etcd-operator will eventually make the etcd cluster version // equal to the expected version. // - // The version must follow the [semver]( http://semver.org) format, for example "3.1.8". + // The version must follow the [semver]( http://semver.org) format, for example "3.2.10". // Only etcd released versions are supported: https://github.com/coreos/etcd/releases // - // If version is not set, default is "3.1.8". + // If version is not set, default is "3.2.10". Version string `json:"version,omitempty"` // Paused is to pause the control of the operator for the etcd cluster. diff --git a/pkg/apis/etcd/v1beta2/restore_types.go b/pkg/apis/etcd/v1beta2/restore_types.go index 455569ce7..e5d893ee1 100644 
--- a/pkg/apis/etcd/v1beta2/restore_types.go +++ b/pkg/apis/etcd/v1beta2/restore_types.go @@ -55,7 +55,7 @@ type RestoreSource struct { type S3RestoreSource struct { // Path is the full s3 path where the backup is saved. // The format of the path must be: "/" - // e.g: "etcd-backups/v1/default/example-etcd-cluster/3.1.8_0000000000000001_etcd.backup" + // e.g: "etcd-backups/v1/default/example-etcd-cluster/3.2.10_0000000000000001_etcd.backup" Path string `json:"path"` // The name of the secret object that stores the AWS credential and config files. diff --git a/pkg/backup/backup_manager.go b/pkg/backup/backup_manager.go index 1d1b3330d..4eb13e854 100644 --- a/pkg/backup/backup_manager.go +++ b/pkg/backup/backup_manager.go @@ -58,8 +58,8 @@ func NewBackupManagerFromWriter(kubecli kubernetes.Interface, bw writer.Writer, // and returns file size and full path. // the full path has the format of prefix/__etcd.backup // e.g prefix = etcd-backups/v1/default/example-etcd-cluster and -// backup object name = 3.1.8_0000000000000001_etcd.backup -// full path is "etcd-backups/v1/default/example-etcd-cluster/3.1.8_0000000000000001_etcd.backup". +// backup object name = 3.2.10_0000000000000001_etcd.backup +// full path is "etcd-backups/v1/default/example-etcd-cluster/3.2.10_0000000000000001_etcd.backup". func (bm *BackupManager) SaveSnapWithPrefix(prefix string) (string, error) { etcdcli, rev, err := bm.etcdClientWithMaxRevision() if err != nil { diff --git a/pkg/util/k8sutil/k8sutil.go b/pkg/util/k8sutil/k8sutil.go index fbfe786a0..f94c250e4 100644 --- a/pkg/util/k8sutil/k8sutil.go +++ b/pkg/util/k8sutil/k8sutil.go 
@@ -249,10 +249,16 @@ func NewEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state, "etcd_cluster": clusterName, } - if strings.HasPrefix(cs.Version, "3.0.") { - // DNS entries might not warm up initially. 3.0.x etcd will exit without retrying. - commands = fmt.Sprintf("sleep 5; %s", commands) - } + // In etcd 3.2, TLS listener will do a reverse-DNS lookup for pod IP -> hostname. + // If DNS entry is not warmed up, it will return empty result and peer connection will be rejected. + ft := ` + while ( ! nslookup %s ) + do + sleep 2 + done + %s + ` + commands = fmt.Sprintf(ft, m.Addr(), commands) container := containerWithLivenessProbe(etcdContainer(commands, cs.BaseImage, cs.Version), etcdLivenessProbe(cs.TLS.IsSecureClient())) if cs.Pod != nil { diff --git a/test/e2e/backup_test.go b/test/e2e/backup_test.go index b5b1a0655..27cfe06e6 100644 --- a/test/e2e/backup_test.go +++ b/test/e2e/backup_test.go @@ -126,7 +126,7 @@ func testEtcdRestoreOperatorForS3Source(t *testing.T, s3Path string) { f := framework.Global restoreSource := api.RestoreSource{S3: e2eutil.NewS3RestoreSource(s3Path, os.Getenv("TEST_AWS_SECRET"))} - er := e2eutil.NewEtcdRestore("test-etcd-restore-", "3.1.8", 3, restoreSource) + er := e2eutil.NewEtcdRestore("test-etcd-restore-", "3.2.10", 3, restoreSource) er, err := f.CRClient.EtcdV1beta2().EtcdRestores(f.Namespace).Create(er) if err != nil { t.Fatalf("failed to create etcd restore cr: %v", err) diff --git a/test/e2e/basic_test.go b/test/e2e/basic_test.go index 3e80799ce..ef260a410 100644 --- a/test/e2e/basic_test.go +++ b/test/e2e/basic_test.go 
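Review bot: The `while ( ! nslookup %s )` loop added to NewEtcdPod has no upper bound, so etcd never starts if the member's DNS record never appears or if a custom `BaseImage` does not ship `nslookup`; the container just retries every two seconds. I would cap the wait and exit non-zero, for example by starting the script with `i=0` and putting `i=$((i+1)); [ "$i" -lt 30 ] || { echo "DNS record for member not ready"; exit 1; }` before `sleep 2`, so the failure is visible in the pod status. The comment describes a reverse lookup of the pod IP, while the loop resolves the member hostname forward; a sentence on why the forward lookup is a sufficient readiness signal would help. `m.Addr()` is interpolated into a shell script, which is presumably safe only because it is built from Kubernetes-validated names, and the comment should state that assumption. NewEtcdPod starts and ends outside this hunk.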
@@ -107,7 +107,8 @@ func TestEtcdUpgrade(t *testing.T) { } f := framework.Global origEtcd := e2eutil.NewCluster("test-etcd-", 3) - origEtcd = e2eutil.ClusterWithVersion(origEtcd, "3.0.16") + origEtcd = e2eutil.ClusterWithVersion(origEtcd, "3.1.10") + origEtcd.Spec.BaseImage = "quay.io/coreos/etcd" testEtcd, err := e2eutil.CreateCluster(t, f.CRClient, f.Namespace, origEtcd) if err != nil { t.Fatal(err) @@ -119,13 +120,14 @@ func TestEtcdUpgrade(t *testing.T) { } }() - err = e2eutil.WaitSizeAndVersionReached(t, f.KubeClient, "3.0.16", 3, 6, testEtcd) + err = e2eutil.WaitSizeAndVersionReached(t, f.KubeClient, "3.1.10", 3, 6, testEtcd) if err != nil { t.Fatalf("failed to create 3 members etcd cluster: %v", err) } + targetVersion := "3.2.10" updateFunc := func(cl *api.EtcdCluster) { - cl = e2eutil.ClusterWithVersion(cl, "3.1.8") + cl = e2eutil.ClusterWithVersion(cl, targetVersion) } _, err = e2eutil.UpdateCluster(f.CRClient, testEtcd, 10, updateFunc) if err != nil { @@ -133,7 +135,7 @@ func TestEtcdUpgrade(t *testing.T) { } // We have seen in k8s 1.7.1 env it took 35s for the pod to restart with the new image. - err = e2eutil.WaitSizeAndVersionReached(t, f.KubeClient, "3.1.8", 3, 10, testEtcd) + err = e2eutil.WaitSizeAndVersionReached(t, f.KubeClient, targetVersion, 3, 10, testEtcd) if err != nil { t.Fatalf("failed to wait new version etcd cluster: %v", err) } diff --git a/test/e2e/e2esh/self_hosted_test.go b/test/e2e/e2esh/self_hosted_test.go index ad70e1426..ae11d5db8 100644 --- a/test/e2e/e2esh/self_hosted_test.go +++ b/test/e2e/e2esh/self_hosted_test.go @@ -85,7 +85,7 @@ func startEtcd(f *framework.Framework) (*v1.Pod, error) { Containers: []v1.Container{{ Command: []string{"/bin/sh", "-ec", etcdCmd}, Name: "etcd", - Image: "quay.io/coreos/etcd:v3.1.8", + Image: "gcr.io/etcd-development/etcd:v3.2.10", Env: []v1.EnvVar{{ Name: "POD_NAME", ValueFrom: &v1.EnvVarSource{FieldRef: &v1.ObjectFieldSelector{FieldPath: "metadata.name"}}, 
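Review bot: TestEtcdUpgrade hoists the upgrade target into `targetVersion` but still repeats the starting version as the literal `"3.1.10"`, once in `ClusterWithVersion` (first hunk) and once in the first `WaitSizeAndVersionReached` call (second hunk). A matching `origVersion := "3.1.10"` used in both places keeps the two from drifting on the next bump. Since `origEtcd.Spec.BaseImage` is pinned to `"quay.io/coreos/etcd"` and `updateFunc` changes only the version, the upgraded pods presumably still pull from quay.io, so the test does not cover the move to the new default registry shown in the README upgrade example. A one-line comment above the `BaseImage` assignment, such as `// 3.1.10 is pulled from quay.io; the base image is intentionally left unchanged by the upgrade`, would make that explicit. The function body continues outside these hunks.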
diff --git a/test/e2e/e2eutil/spec_util.go b/test/e2e/e2eutil/spec_util.go index 150c47684..ad78beda7 100644 --- a/test/e2e/e2eutil/spec_util.go +++ b/test/e2e/e2eutil/spec_util.go @@ -78,8 +78,9 @@ func NewEtcdRestore(restoreName, version string, size int, restoreSource api.Res }, Spec: api.RestoreSpec{ ClusterSpec: api.ClusterSpec{ - Size: size, - Version: version, + BaseImage: "gcr.io/etcd-development/etcd", + Size: size, + Version: version, }, RestoreSource: restoreSource, }, diff --git a/test/e2e/e2eutil/tls.go b/test/e2e/e2eutil/tls.go index 90b2b0304..920e2f5fe 100644 --- a/test/e2e/e2eutil/tls.go +++ b/test/e2e/e2eutil/tls.go @@ -35,7 +35,12 @@ func PreparePeerTLSSecret(clusterName, ns, secretName string) error { certPath := filepath.Join(dir, "peer.crt") keyPath := filepath.Join(dir, "peer.key") caPath := filepath.Join(dir, "peer-ca.crt") - hosts := []string{fmt.Sprintf("*.%s.%s.svc", clusterName, ns)} + hosts := []string{ + fmt.Sprintf("*.%s.%s.svc", clusterName, ns), + // Due to issue https://github.com/coreos/etcd/issues/8797, + // we need to provide FQDN in certs at the moment. + fmt.Sprintf("*.%s.%s.svc.cluster.local", clusterName, ns), + } err = prepareTLSCerts(certPath, keyPath, caPath, hosts) if err != nil {
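Review bot: `BaseImage: "gcr.io/etcd-development/etcd"` in NewEtcdRestore repeats as a string literal the value this commit assigns to `defaultBaseImage` in pkg/apis/etcd/v1beta2/cluster.go, and the same registry appears again as a literal in self_hosted_test.go. The next change of the default will have to find all three by hand. I would add a package-level `const etcdBaseImage = "gcr.io/etcd-development/etcd"` in e2eutil and use it here. A short comment saying why the restore spec must set the image explicitly would also help; presumably the defaults are not applied to the embedded ClusterSpec, which should be confirmed. NewEtcdRestore starts outside the hunk.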
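Review bot: The new SAN `fmt.Sprintf("*.%s.%s.svc.cluster.local", clusterName, ns)` in PreparePeerTLSSecret hard-codes the `cluster.local` DNS domain, so the generated peer certificate will not match member names on a cluster configured with a different cluster domain. A named constant such as `const clusterDomain = "cluster.local"` would make that assumption visible and easy to change. The added comment describes the FQDN entry as needed "at the moment"; turning it into `// TODO: drop the FQDN entry once https://github.com/coreos/etcd/issues/8797 is fixed` makes the workaround easy to find later. Only the peer helper is visible in this hunk; if the server and client secret helpers build their own host lists, they may need the same entry. The function continues outside the hunk.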